Decrypt a blob from Azure blob storage with key vault using version 12.x Azure storage libraries

Question

I am trying to download and decrypt a blob from azure blob storage using vault key just like this tutorial, except that the linked tutorial is outdated. I am using the latest Azure.Storage.Blobs Nuget Package and do not see any way to do this as there is no BlobRequestOptions or BlobEncryptionPolicy object or similar in the package as is seen in the tutorial. Everything that I look up points me back to the linked tutorial that is again outdated.

Here is my current code:

BlobServiceClient serviceClient = new BlobServiceClient("connectionString");
BlobContainerClient containerClient = serviceClient.GetBlobContainerClient("containerName");
BlobClient blobClient = containerClient.GetBlobClient("blobName");
await blobClient.DownloadToAsync(myStream);

Somewhere in here I would like to pass in my key vault key resolver to decrypt the blob like in the tutorial.

Is there a way to do that?

If not, what is the current best way to decrypt blobs using key vault?

Answer 1

You can use

Azure.Storage.Blobs.Specialized.SpecializedBlobExtensions
        public static BlobClient WithClientSideEncryptionOptions(this BlobClient client, ClientSideEncryptionOptions clientSideEncryptionOptions);

Answer 2

For now, in Azure.Storage.Blobs, you can use EncryptionScope in BlobClientOptions.

In Azure.Storage.Blobs, you can use EncryptionScope in BlobClientOptions. You could refer to this article to create encryption scope. But the feature is in preview.

After configure azure storage container, you can upload blob with the specify encryption scope you created before and add the BlobClientOptions into BlobServiceClient.

var options = new BlobClientOptions();
options.EncryptionScope= "joeyencrypt";
BlobServiceClient blobServiceClient = new BlobServiceClient("connectionString",options);